Fix people index for non-admin access (#1490) #1496

Draft
maebeale wants to merge 1 commit into main from maebeale/fix-issue-1490

maebeale (Collaborator) commented May 15, 2026

Closes #1490

What is the goal of this PR and why is this important?

  • In preparation for exposing the Person profile to non-admins, harden the /people index so it doesn't crash on a search filter and renders only links the viewer can follow.

How did you approach the change?

  • Ambiguous end_date: qualified the column inside Affiliation.active (affiliations.end_date) so merging it onto a relation that also joins organizations (which has its own end_date) no longer raises Trilogy::ProtocolError: 1052: Column 'end_date' in where clause is ambiguous. Added regression tests that join :organization and that chain Person.with_active_affiliations.search_by_params(organization_name: ...).
  • Policy-aware links in app/views/people/people_results.html.erb: gated the person profile button, organization affiliation pills, and the overflow +N link with allowed_to?(:show?, ...). When the viewer lacks access, the same content renders as plain text instead of a link. Expanded the fragment-cache key to include whether the viewer owns the row so policy-gated output stays correct.
  • Note: the locked-user filter and the index policy change are not in this PR — those landed in Hide locked users' profiles from the non-admin people index #1489 / HOLD UNTIL READY TO LAUNCH: Allow authenticated users to access the people index and search #1494.

UI Testing Checklist

  • As an admin, /people renders with all existing links (person profile, organization pills, edit, user)
  • As an admin, filtering by organization_name no longer 500s (regression check for the ambiguous column)
  • (Once the index opens to non-admins) confirm organization pills render as plain text when OrganizationPolicy#show? returns false
  • (Once the index opens to non-admins) confirm an owner sees a working link to their own profile row

Anything else to add?

  • The index controller still uses PersonPolicy#index? (admin-only on main), so the view changes are dormant until the policy opens up. The third issue checklist item ("check policies for all links in the index results") is addressed defensively rather than waiting for the policy change.

🤖 Generated with Claude Code

Prepares the people index to be safe when exposed to non-admins:
qualifies the ambiguous `end_date` in `Affiliation.active`, hides
people whose user account is locked from the non-admin scope, and
gates the index's person/organization links by their show policy
so they degrade gracefully when the viewer lacks access.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
maebeale force-pushed the maebeale/fix-issue-1490 branch from 402d15f to 733b31e on May 15, 2026 14:54
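
The fragment-cache point in the description, as an added example that is not code from this PR or the project: a row cached under a record-only key is served to every later viewer, so a link rendered for an admin reaches a viewer the policy would refuse. The structs, the policy rule, the cache class and the key helpers are hypothetical stand-ins, and the policy-aware key generalizes the description's "whether the viewer owns the row" to every viewer-dependent input the fragment branches on.

```ruby
require "erb"

# Constructed stand-ins; not the project's models, policies, or view code.
Viewer = Struct.new(:id, :admin)
Person = Struct.new(:id, :name, :owner_id, :updated_at)

# Hypothetical show policy: admins and the row's owner may open the profile.
def allowed_to_show?(viewer, person)
  viewer.admin || viewer.id == person.owner_id
end

# Renders one index row: a link when permitted, escaped plain text otherwise.
def render_row(viewer, person)
  name = ERB::Util.html_escape(person.name)
  if allowed_to_show?(viewer, person)
    %(<a href="/people/#{person.id}">#{name}</a>)
  else
    name
  end
end

# Minimal fragment cache: returns the stored fragment when the key exists.
class FragmentCache
  def initialize
    @store = {}
  end

  def fetch(key)
    @store.fetch(key) { @store[key] = yield }
  end
end

# Record-only key: identical for every viewer, so the first render wins.
def record_only_key(_viewer, person)
  ["people_row", person.id, person.updated_at]
end

# Policy-aware key: adds each viewer-dependent input the fragment branches on.
def policy_aware_key(viewer, person)
  record_only_key(viewer, person) + [viewer.admin, viewer.id == person.owner_id]
end

# Fetches the row through the cache using the named key helper.
def cached_row(cache, viewer, person, key_fn)
  cache.fetch(send(key_fn, viewer, person)) { render_row(viewer, person) }
end
```
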

Development

Successfully merging this pull request may close these issues.

Non-Admin User - People index fixes
